PowerShadow does not stop low level disk changes

Discussion in 'sandboxing & virtualization' started by flinchlock, Jun 14, 2007.

Thread Status:
Not open for further replies.
  1. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    In the LARGE PowerShadow thread, post #847, this was posted
    I was pretty confident I could test that claim.

    I sent a PM to @idle.newbie for more proof, and lots of proof was provided! :eek:

    So, I decided to test this on my machine.

    IF you bother to read the posts following post #847 by @idle.newbie, you will see I was pretty !@#$ing confused on what was happening. o_O

    So, I started a new test with a spare 6GB (Seagate ST36540A) drive and the LAN cable unplugged...
    1. ran Active@ Kill Disk - Hard Drive Eraser using "erases with one-pass zeros"
    2. load XP/SP2, created C: (5GB NTFS partition for the system) & D: (1GB NTFS partition for data)
    3. loaded (via USB flash drive) SectorEditor v1.05 by Julie.Lau and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    4. just to make sure SectorEditor did not create any hidden data itself, ran Active@ Kill Disk and load XP/SP2 again
    5. loaded (via USB flash drive) PowerShadow 2.6, and activated PS in "Single shadow mode"
    6. loaded (via USB flash drive) SectorEditor v1.05 by Julie.Lau and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    7. using SectorEditor wrote "Mike32" into sector 32, and rebooted
    8. using SectorEditor view sector 32.... "Mike32" was there!

    1. ran SeaTools for DOS using "Erase Drive > Zero All"
    2. load XP/SP2, created C: (5GB NTFS partition for the system) & D: (1GB NTFS partition for data)
    3. loaded (via USB flash drive) SectorEditor v1.05 by Julie.Lau and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    4. just to make sure SectorEditor did not create any hidden data itself, ran SeaTools and load XP/SP2 again
    5. loaded (via USB flash drive) PowerShadow 2.6, and activated PS in "Single shadow mode"
    6. loaded (via USB flash drive) SectorEditor v1.05 by Julie.Lau and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    7. using SectorEditor wrote "Mike32" into sector 32, and rebooted
    8. using SectorEditor view sector 32.... "Mike32" was there!

    1. ran Active@ Kill Disk - Hard Drive Eraser using "erases with one-pass zeros"
    2. load XP/SP2, created C: (5GB NTFS partition for the system) & D: (1GB NTFS partition for data)
    3. loaded (via USB flash drive) HxD - Freeware Hex Editor and Disk Editor and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    4. just to make sure HxD did not create any hidden data itself, ran Active@ Kill Disk and load XP/SP2 again
    5. loaded (via USB flash drive) PowerShadow 2.6, and activated PS in "Single shadow mode"
    6. loaded (via USB flash drive) HxD - Freeware Hex Editor and Disk Editor and looked at the first cluster (sectors 0-62)... just the usual/normal stuff
    7. using HxD wrote "Mike32" into sector 32, and rebooted
    8. using HxD view sector 32.... "Mike32" was there!

    THE END!

    Mike
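A defender's way to check the result the post describes: hash each of sectors 0-62 before and after the test and parse the partition table, so a write like the post's "Mike32" into sector 32, or an erased partition table, shows up as a specific changed sector. This is an added example, not the post's own tooling; it runs on a constructed 63-sector image rather than a real drive, and the single NTFS entry (type 0x07, LBA 63, 5 GB) is an assumed layout.

```python
import hashlib
import struct

SECTOR = 512
TRACK0_SECTORS = 63          # sectors 0-62, the span the post inspects

def sector_hashes(image, count=TRACK0_SECTORS):
    """SHA-256 of each of the first `count` sectors of a raw disk image."""
    return [hashlib.sha256(image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(count)]

def changed_sectors(baseline, current):
    """Sector numbers whose hash differs between the two snapshots."""
    return [i for i, (a, b) in enumerate(zip(baseline, current)) if a != b]

def mbr_summary(image):
    """Parse the MBR signature (bytes 510-511) and the four 16-byte partition entries (bytes 446-509)."""
    mbr = image[:SECTOR]
    parts = []
    for n in range(4):
        e = mbr[446 + 16 * n:446 + 16 * (n + 1)]
        ptype = e[4]
        if ptype:                                   # skip empty entries
            parts.append({"index": n, "bootable": e[0] == 0x80, "type": ptype,
                          "lba_start": struct.unpack("<I", e[8:12])[0],
                          "sectors": struct.unpack("<I", e[12:16])[0]})
    return {"signature_ok": mbr[510:512] == b"\x55\xaa", "partitions": parts}

def build_sample_image():
    """Constructed 63-sector image: zeroed disk, one assumed NTFS entry at LBA 63 (5 GB)."""
    img = bytearray(SECTOR * TRACK0_SECTORS)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 10485760)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    return bytes(img)

def simulate_sector_write(image, sector, data, offset=0):
    """Constructed 'after' image with `data` written into `sector` at byte `offset`."""
    img = bytearray(image)
    off = sector * SECTOR + offset
    img[off:off + len(data)] = data
    return bytes(img)

def audit(baseline_image, current_image):
    """Report which track-0 sectors changed and whether the partition table survived."""
    changed = changed_sectors(sector_hashes(baseline_image), sector_hashes(current_image))
    return {"changed": changed, "mbr": mbr_summary(current_image)}

if __name__ == "__main__":
    base = build_sample_image()
    print(audit(base, simulate_sector_write(base, 32, b"Mike32")))          # the post's test write
    print(audit(base, simulate_sector_write(base, 0, bytes(64), offset=446)))  # wiped partition table
```

On a real system the baseline would be taken from the raw device (for example \\.\PhysicalDrive0 on Windows, opened read-only) before activating shadow mode, and compared again after the reboot.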
     
  2. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Nope, it doesn't.

    There was a Chinese trojan called "Zhusan" a few months back that directly erased the partition table and forced a system reboot. PS doesn't stop this at all.
     
  3. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,049
    Mike

    It would be interesting to try what you did with Returnil, and see what happens. It does survive killdisk, as I thought Powershadow did.

    What you did may be writing to an area of track 0 that no one bothers protecting because they use it.

    Pete
     
  4. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    I'll confirm flinchlock's findings as true. PS protects system files and settings but not against low level changes that are done by the tools such as sector editor. I trashed my system and learned the hard way in full shadow mode using version 2.82. I wasn't sure how the tool worked and I did an overwrite fill of my entire drive, all seemed ok until I rebooted to find that my OS was gone and system could not find my partitions, only my floppy and dvd drive was being read as existing. Lesson learned hard. :rolleyes: Not to panic anyone but remember I had to run this tool and I trashed my system not any existing malware...but hey who knows they probably writing a script to do just that maybe a lot tougher than killdisk
     
  5. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    Yup, Returnil will be next to test, but I have other plans and can not get to my PC until July 8th.
    When I get back, I would also like to try killdisk the trojan on PS. I will PM you when I get back.

    Maybe, maybe not... how in the heck would you ever know?

    When I tried testing this where I got confused, I "think" I could also write to sector 100,000,000 that was in the middle of my drive C:. I thought that would have been protected, but I guess not.

    Mike
     
  6. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
  7. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Flinchlock

    RRRUUUULLLEEESSSS :thumb: at least fills a hard disk with a lot of low values

    It would be interesting to see how EQS withstands this test. I tested EQS with DW against Killdisk and PC1 survived. I did not test PC 2 (GeSWall) because PC1 had MBR protection via the bios setup and PC2 had not (was not that brave).


    Regards K
     
  8. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    WOW! something worse than the killdisk trojan exists? solcroft how did you find out that powershadow didn't protect vs "Zhusan"? i wonder how sandboxie, defensewall, geswall, and VMware/Virtualbox would fare.
     
  9. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, Solcroft; Nice to view your inputs. I have tried to locate this Zhusan trojan on Chinese web sites, but no luck. Can you kindly provide us some info or links so that we can know this nasty better. I do read Chinese. Thanks.
     
  10. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Oh dear ... now I need to find something to protect against low level disk changes ... o_O

    Any idea how or what I can use to protect against the low level disk changes?

    :ouch:
     
  11. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    amazingly i thought powershadow did, since someone on this forum tested it vs the killdisk trojan and powershadow survived (geswall, defensewall, and sandboxie do too). but now it seems that zhusan trojan is even more "low level" than the killdisk trojan :D

    i need to contact the support team over at gentlesecurity and see if they can test geswall against this nasty zhusan trojan. if anyone has a link to it. can you pm it to me so i can pm it to the guys at gentlesecurity?
     
  12. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    Re: Zhusan trojan

    Refer to the attached images to see what happens when this trojan is executed.

    Any HIPS that can block low-level disk access (EQSecure, SSM Pro) will stop this. SandboxIE will as well. Not sure about GesWall since I don't use it.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    No links to malware on the forums please.
     
  14. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Re: Zhusan trojan

    The Chinese characters (old style and not the simple Chinese characters) actually say:

    (You are) Looking for trouble?

    "Pig three" - word for word translation but I think it actually means more like: "Idiot", "idiot ha aha", " definitely idiot" "you are doomed (or wait for death)" "ha ha ...".


    Does SSM free prevent this low-level disk access ?

    o_O
     
  15. EASTER.2010

    EASTER.2010 Guest

    Food for thought so nice experiment, BUT REMEMBER! Tools like SectorEditor are just that TOOLS. And there MUST be an access path into the Low Level of the Disk for emergency recovery/rescue process or else user is left with no recourse for recovery.

    We're speaking of TOOLS, not malware here, although KillDisk Trojan is formidable it was PROVEN already to not have the muscle (code) to penetrate in order to do any damage.

    REMEMBER! You're talking TOOLS here.
     
  16. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    Re: Zhusan trojan


    1. It means : you are going to be killed, just wait for your death.
    This kind of stuff is quite boring, just like a joke. I prefer to consider the virus author as an idiot.
    Luckily, as I set TINY to block any unknown software, these three pigs can't run in my system.
    2. Sadly, SSM free can not prevent low-level disk access.
     
  17. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    i agree 100%, but what worries me is what solcroft mentions in the second post on this thread :

    that is what's causing me concern :)
     
  18. mitchelson

    mitchelson Registered Member

    Joined:
    Mar 9, 2007
    Posts:
    69
    IN FACT, 猪三 cannot pass PowerShadow, someone has done the experiment. Run "zhusan" in full shadow mode, reboot, and everything is ok.

    hxxp://bbs.deepin.org/simple/index.php?t183650.html
     
    Last edited by a moderator: Jun 15, 2007
  19. EASTER.2010

    EASTER.2010 Guest

    Thanks for the link mitchelson

    Someone check me on this but EQSecure DOES in fact alert/stop Low-Level Disk Access or else just alerts to it.

    I'm too busy this week making a Library of backups to all sorts of media for safekeeping (tons of data) to try to fracture PS or run something thru it into the disc at Low Level.

    Be Cool

    Be Safe

    Have Fun
     
  20. zopzop

    zopzop Registered Member

    Joined:
    Apr 6, 2006
    Posts:
    632
    hello. i just get "?" instead of letters on that page. i think i'm missing a language pack or something. what does the page say?
     
    Last edited by a moderator: Jun 15, 2007
  21. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    I noticed all the tests were run in 'single shadow mode', I wonder if running in 'full shadow mode' would have made a difference.

    As far as the trojan mentioned. I'm not sure what it does, but if it just destroys your system, there are worse things to worry about. Also, what are the chances of this happening? For now, you're probably more likely to get struck by lightning :eek:. A layered security defense should protect you nicely. I realize this is just a test, but in the real world, I would assume the situation would be different.

    Running as a limited user, FireFox with NoScript, FW with HIPS, up to date AV and AS/AMs and a patched OS with patched web applications should only allow the smallest of windows for 'malware' to enter. The largest vulnerability I can think of to my system right now is typing this post. And what if the 'what if scenario' happens? This is why you need a back-up solution to recover.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    How to do that?
     
  23. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    HI, FOLKS; Thanks, Mitchelson for the link. I viewed it (Chinese), perhaps can sum up this way: The test results are:
    (1) in PS's full mode, Zhusan trojan can not compromise your system upon AUTO-restart.
    (2) with EQ's protection, Zhusan Trojan can be intercepted by EQ at low level. After that your system runs smoothly, no adverse effects. However, after a MANUAL RESTART, your boot screen will be gone except one blinking thing. If you are smart enough by repairing MBR prior to manual restart, this mishap can be avoided.
    Since I am not an expert in this, I will leave this interpretation job to some guru friends. Anyone interested in taking over?
     
  24. WilliamP

    WilliamP Registered Member

    Joined:
    Jun 1, 2003
    Posts:
    2,201
    Location:
    Fayetteville, Ga
    Per the PS forum 2.82 protects the MBR.
     
  25. flinchlock

    flinchlock Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    554
    Location:
    Michigan
    I would love to test this. :D :D :D :D :D

    But, I am packing for a three week trip and leave at 4am tomorrow (Saturday), but I am sneaking away to Wilders while the wife is not looking. :eek:

    Mike
     
    Last edited: Jun 15, 2007